Tutorial: How to Configure SAML with PingFederate SSO
This is a step-by-step guide for configuring SAML on Access Server with PingFederate SSO.
Overview
Access Server 2.11 and newer supports SAML authentication with PingFederate SSO as the identity provider. You can configure this in PingFederate with Access Server as your service provider.
The following steps walk you through enabling SAML authentication for users and groups from PingFederate SSO to Access Server.
Prerequisites
You need the following to get started:
An installed PingFederate server.
A deployed Access Server.
With PingFederate, you must create a custom SAML application.
Now that you have your SP information, you can create a new PingFederate SAML app and enter that information during app creation.
Create a new SP connection
Sign in to your PingFederate admin portal.
Go to Applications → Applications → SP Connections.
Click Create Connection.
On the Connection Template tab, click Do not use a template for this connection, and click Next.
On the Connection Type tab, select the Browser SSO Profiles checkbox.
For Protocol, select SAML 2.0, and click Next.
On the Connection options tab, leave Browser SSO selected, and click Next.
Enter the Access Server SP data
On the Import metadata tab, leave None selected and click Next.
On the General Info tab, use the SP information from Access Server to enter the following:
PARTNER'S ENTITY ID: Enter the Access Server SP Identity.
CONNECTION NAME: Enter something meaningful (e.g., OpenVPN-AS).
VIRTUAL SERVER IDS: Leave this field empty.
BASE URL: Enter the Access Server SP ACS.
Click Next to proceed.
Configure Browser SSO settings
On the Browser SSO tab, click Configure Browser SSO.
Select IDP-INITIATED SSO and SP-INITIATED SSO, and click Next.
Accept defaults on the Assertion Lifetime tab and click Next.
Configure Assertion Creation
On the Assertion Creation tab, click Configure Assertion Creation.
Select STANDARD, and click Next.
On the Attribute Contract tab, ensure SAML_SUBJECT uses
urn:oasis:names:tc:SAML1.1:nameid-format:unspecified, then click Next.On the Authentication Source Mapping tab, click Map New Adapter Instance and select your adapter.
For Mapping Method, select Use only the adapter contract values in the SAML assertion.
For Attribute Contract Fulfillment, set Source to Adapter and Value to username.
Click Next through the Issuance Criteria and Summary tabs.
Configure Protocol Settings
On the Protocol Settings tab, click Configure Protocol Settings.
Set the Binding to POST and the Endpoint URL to
/saml/acs.Under Signature Policy, select Always sign assertion and Sign response as required.
Accept defaults on Encryption Policy and Summary, then click Done.
Configure Credentials
Go to the Credentials tab and click Configure Credentials.
Under Digital Signature Settings, select a signing certificate, then click Next → Done.
Click Next through the remaining tabs until you reach Activation & Summary.
Click Save to finalize the connection.
Export the PingFederate metadata
Return to the SP Connections list.
Click Selection Action → Export Metadata to download the PingFederate metadata file.
The simplest way to set up PingOne SAML for Access Server is to provide the metadata XML file.
Upload the PingFederate metadata file in the Admin Web UI
Provide the downloaded metadata XML file to your Access Server through the Admin Web UI to automatically configure SAML:
Sign in to your Access Server Admin Web UI.
Click Authentication > SAML.
Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
Click Choose File for Select IdP Metadata File.
Select your PingFederate metadata XML file, click Upload and Update Running Server.
The IdP fields are now populated under Configure Identity Provider (IdP) Manually.